Update - June 16, 2023: The second vulnerability mentioned in the June 12 update now has an assigned CVE number: CVE-2023-35036. On June 15, a third SQL injection vulnerability was released. This new vulnerability also has been assigned a CVE number: CVE-2023-35708.
These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
Update - June 12, 2023: According to MOVEit, there are additional vulnerabilities (CVEs pending MITRE) that a bad actor could potentially use to stage an exploit. These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
It's important to note that unlike the previous zero day, these vulnerabilities were discovered as a part of an internal code audit. Currently, there is no known exploitation of these vulnerabilities. At this time, MOVEit is recommending that all MOVEit Transfer customers apply the new patch, released on June 9, 2023. Please refer to MOVEit’s full advisory here for next steps.
On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software, resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resource links, including one for the patch, are at the bottom of this post.
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch (a subsidiary of Progress Software). Those of you who have been around IT for a stretch might remember Ipswitch's popular FTP software, WS_FTP. Organizations use MOVEit Transfer to securely exchange files with business partners and customers.
All MOVEit Transfer versions are affected by this vulnerability. As of June 2, Shodan searches for public-facing MOVEit instances show over 500 systems that have MOVEit directly in their service headers and over 2,500 systems serving the MOVEit favicon. The favicon suggests the system is running MOVEit even when the service headers do not show it, although it could equally indicate any of the other services that Progress Software offers. See Figures 1 and 2.
Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.
Figure 1: Shodan results based on service headers
Figure 2: Shodan results based on favicon hash
After exploitation, the threat actor drops the file "human2.aspx" on the system. This webshell supports several parameters, triggering specific actions depending on the parameter used.
These parameters are:
| Parameter | Values | Description |
|---|---|---|
| X-siLock-Comment | static password | Without this parameter being set to the proper password, the system returns an HTTP 404 error code |
| X-siLock-Step1 | -2, -1, NULL | Primary parameter used for access |
| X-siLock-Step2 | Folder ID | Specifies a directory |
| X-siLock-Step3 | File ID | Specifies a filename |
Assuming X-siLock-Comment is set to the proper password string, the value of X-siLock-Step1 defines what action is taken on the exploited system:

| X-siLock-Step1 value | Action |
|---|---|
| NULL | The file defined by X-siLock-Step2 and X-siLock-Step3 is downloaded. |
| -1 | Returns critical Azure Blob information including the Storage Account, Key, and Container IDs. It also returns a list of all files and folders stored in MOVEit, their owners and sizes, and all institution names mentioned in the MOVEit instance. This would allow the attacker to target specific files associated with specific users or organizations. |
| -2 | Deletes the newly created database admin user named "Health Check Service", presumably to clean up and cover tracks after a compromise. |
All versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. Progress Software has released an official patch which is available here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
However, prior to applying the patch, Progress recommends admins take the following actions.
Audit and delete any unauthorized files and user accounts.
On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
Remove any unauthorized user accounts.
Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
Reset service account credentials for affected systems and the MOVEit service account.
Note: A full table of IoCs is available below
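As an added example (not from this post, Trustwave, or Progress), the following Python script applies the log-review step above using the HTTP request and user-agent indicators from the IoC table below: it parses an IIS W3C log by its #Fields header, flags the webshell-related requests, and counts hits per client IP so unfamiliar sources stand out. The sample log lines are constructed, and the function names and regex patterns are assumptions.

```python
import re
from collections import Counter

# Request and user-agent indicators copied from this post's IoC table.
IOC_USER_AGENT = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                  "+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36")
IOC_REQUESTS = [
    ("POST", re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("POST", re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("POST", re.compile(r"^/api/v1/folders/[^/]+/files$", re.I)),
    ("GET", re.compile(r"^/human2\.aspx$", re.I)),  # requests to the dropped webshell
]

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def scan_iis_log(text):
    """Return (hits, per_ip): hits are (date, time, client ip, reason) tuples,
    per_ip counts hits per client IP so unknown sources are easy to spot."""
    hits = []
    for rec in parse_iis_w3c(text):
        method, uri = rec.get("cs-method", "").upper(), rec.get("cs-uri-stem", "")
        when, ip = (rec.get("date"), rec.get("time")), rec.get("c-ip", "?")
        for m, pat in IOC_REQUESTS:
            if method == m and pat.match(uri):
                hits.append((*when, ip, f"{method} {uri}"))
        if rec.get("cs(User-Agent)") == IOC_USER_AGENT:
            hits.append((*when, ip, "IoC user agent"))
    return hits, Counter(h[2] for h in hits)

# Constructed sample log (not a real capture). 203.0.113.7 is ordinary user traffic;
# 198.51.100.9 reproduces the request sequence listed in the IoC table.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2023-05-28 03:12:01 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.7 Mozilla/5.0+Chrome/113.0.0.0 200",
    f"2023-05-28 03:12:05 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.9 {IOC_USER_AGENT} 200",
    f"2023-05-28 03:12:06 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.9 {IOC_USER_AGENT} 200",
    f"2023-05-28 03:12:09 10.0.0.5 POST /api/v1/folders/605/files - 443 - 198.51.100.9 {IOC_USER_AGENT} 200",
    f"2023-05-28 03:13:10 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.9 {IOC_USER_AGENT} 200",
])

if __name__ == "__main__":
    found, by_ip = scan_iis_log(SAMPLE_LOG)
    for h in found:
        print(*h)
    print("hits per client IP:", dict(by_ip))
```

Point it at the real log directory by reading each file's text into scan_iis_log; a client IP that appears only in the hit counter and never in normal traffic is the "unknown IP" the review step is looking for.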
After the update has been applied, you can re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You'll also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.
Additional Detection Options
Additional Security Best Practices
| Indicator | Type |
|---|---|
| C:\Windows\TEMP\[random]\[random].cmdline | Folder Path |
| human2.aspx | Filename |
| human2.aspx.lnk | Filename |
| POST /moveitisapi/moveitisapi.dll | HTTP Request |
| POST /guestaccess.aspx | HTTP Request |
| POST /api/v1/folders/[random]/files | HTTP Request |
| Health Check Service | User Account |
| Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 | User Agent |
| dojustit[.]mooo[.]com | Domain |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random]\App_Web_[random].dll | Filename |
Progress link: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
NIST CVE-2023-34362: https://nvd.nist.gov/vuln/detail/CVE-2023-34362